CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
**How do I configure $FWDIR/conf/fwopsec.conf?**

The following comes from Check Point's OPSEC API Specification.

The configuration information establishing how VPN-1/FireWall-1 will communicate with other OPSEC applications is defined in the file fwopsec.conf, located in the $FWDIR/conf directory in FireWall-1 4.1, $CPDIR/conf in NG.

To configure VPN-1/FireWall-1 as an OPSEC Client, define its connection with the OPSEC Server in fwopsec.conf using the following syntax:

```
server ip-address port-number connection-type
```

The parameters are explained in the table below.

| Value | Meaning |
|---|---|
| server | Literally "server" |
| ip-address | The server's IP address in dot format |
| port-number | The port number |
| connection-type | One of the following: |

| Value | Meaning |
|---|---|
| opsec | Authenticated only by IP address (clear) |
| auth_opsec | Authenticated with putkeys |
| ssl_opsec | Authenticated and encrypted with SSL |

Example:

```
server 133.45.67.102 18182 ssl_opsec
```

This means that the Server on port 18182 at IP address 133.45.67.102 uses SSL, which provides authenticated and encrypted connections.

**Configuring VPN-1/FireWall-1 as an OPSEC Server**

To configure VPN-1/FireWall-1 as an OPSEC Server, define its connection with OPSEC Clients in fwopsec.conf using the following syntax:

```
server-name port-type port-number
```

For an authenticated connection, use the following format:

```
server-name port-type port-number
server-name auth_type authentication
```

The parameters are explained in the table below.

| Value | Meaning |
|---|---|
| server-name | Of the form XXX_server where XXX is an OPSEC service (LEA, SAM, etc). |
| port-type | Either port for an unauthenticated, unencrypted communication or auth_port for an authenticated and/or encrypted one. |
| port-number | Port number. |
| authentication | Either auth_opsec for an authenticated connection or ssl_opsec for authentication and encryption. |

Example:

```
lea_server auth_port 18184
lea_server auth_type ssl_opsec
```

This means that VPN-1/FireWall-1 is configured as a LEA Server that communicates with the LEA Client on port 18184. The connection between Server and Client is authenticated and encrypted.

**SAM Server as Proxy**

A SAM Client's request for action is addressed to one or more FireWalled hosts through which a given connection should be inhibited or closed. A SAM Server may act in agent mode or in proxy mode. When in agent mode, the SAM Server inhibits or closes the given connection through its local VPN/FireWall Module. When in proxy mode, the SAM Server passes the request on to other SAM Servers as appropriate. These Servers may in turn pass the requests on to other SAM Servers, until the action request reaches all the specified hosts.

A SAM Server that is located on a VPN-1/FireWall-1 Management Station always functions in proxy mode. By default, a SAM Server that is not located on a Management Station functions in agent mode. That is, it can only process the action requests that are directly addressed to itself.

To change the mode of a SAM Server that is not located on a Management Station from agent to proxy, modify $FWDIR/conf/fwopsec.conf so that the value of fw_allow_remote_requests is set to yes, as follows:

```
fw_allow_remote_requests yes
```

-- PhoneBoy - 31 Dec 2003

FAQ class: ContentSecurityFAQs
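As an added example (not from the FAQ above and not Check Point code), here is a small Python parser that reads the directives described in the post from an fwopsec.conf and reports which OPSEC connections are unauthenticated or unencrypted, which is the first thing to check when reviewing such a file. The sample configuration is constructed, and the cross-line consistency checks (for instance treating an auth_port line with no matching auth_type line as an error) are this example's own assumptions rather than rules stated in the specification.

```python
"""Parse and audit a VPN-1/FireWall-1 fwopsec.conf (example code, not Check Point's)."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample file in the syntax the FAQ describes; addresses and ports are made up.
SAMPLE_CONF = """\
# OPSEC client side: server <ip-address> <port-number> <connection-type>
server 133.45.67.102 18182 ssl_opsec
server 192.0.2.10 18184 opsec

# OPSEC server side: <xxx_server> port|auth_port <port-number>
lea_server auth_port 18184
lea_server auth_type ssl_opsec
sam_server port 18183
cvp_server auth_port 18181
cvp_server auth_type auth_opsec

fw_allow_remote_requests yes
"""

CLIENT_TYPES = {"opsec", "auth_opsec", "ssl_opsec"}
SERVER_AUTH_TYPES = {"auth_opsec", "ssl_opsec"}


@dataclass
class Audit:
    clients: list = field(default_factory=list)   # (ip, port, connection-type)
    servers: dict = field(default_factory=dict)   # name -> {"port_type", "port", "auth_type"}
    sam_proxy: bool = False                       # fw_allow_remote_requests yes
    findings: list = field(default_factory=list)  # (line_no, severity, message); line 0 = whole file


def _port(value: str) -> int:
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {value}")
    return port


def parse_fwopsec(text: str) -> Audit:
    """Parse the file and flag connections that are not authenticated or not encrypted."""
    audit = Audit()

    def note(line_no: int, severity: str, message: str) -> None:
        audit.findings.append((line_no, severity, message))

    for n, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()   # strip comments, ignore blank lines
        if not tokens:
            continue
        try:
            if tokens[0] == "server" and len(tokens) == 4:
                ip = str(ipaddress.ip_address(tokens[1]))
                port, ctype = _port(tokens[2]), tokens[3]
                if ctype not in CLIENT_TYPES:
                    raise ValueError(f"unknown connection-type {ctype!r}")
                audit.clients.append((ip, port, ctype))
                if ctype == "opsec":
                    note(n, "warn", f"{ip}:{port} authenticated by IP address only, traffic in clear")
                elif ctype == "auth_opsec":
                    note(n, "info", f"{ip}:{port} authenticated with putkeys but not encrypted")
            elif tokens[0].endswith("_server") and len(tokens) == 3:
                entry = audit.servers.setdefault(tokens[0], {})
                if tokens[1] in ("port", "auth_port"):
                    entry["port_type"], entry["port"] = tokens[1], _port(tokens[2])
                elif tokens[1] == "auth_type" and tokens[2] in SERVER_AUTH_TYPES:
                    entry["auth_type"] = tokens[2]
                else:
                    raise ValueError(f"bad server directive: {raw.strip()}")
            elif tokens[0] == "fw_allow_remote_requests" and tokens[1:] in (["yes"], ["no"]):
                audit.sam_proxy = tokens[1] == "yes"
                if audit.sam_proxy:
                    note(n, "info", "SAM server runs in proxy mode (forwards remote action requests)")
            else:
                raise ValueError(f"unrecognised line: {raw.strip()}")
        except ValueError as exc:
            note(n, "error", str(exc))

    # Cross-line consistency checks: this example's own assumptions, not rules from the FAQ.
    for name, entry in audit.servers.items():
        ptype, atype = entry.get("port_type"), entry.get("auth_type")
        if ptype == "port":
            note(0, "warn", f"{name} listens unauthenticated and unencrypted on port {entry['port']}")
        elif ptype == "auth_port" and atype is None:
            note(0, "error", f"{name} declares auth_port but has no auth_type line")
        if atype == "auth_opsec":
            note(0, "info", f"{name} is authenticated (putkeys) but not encrypted; ssl_opsec adds encryption")
    return audit


def severity_counts(audit: Audit) -> dict:
    counts = {"error": 0, "warn": 0, "info": 0}
    for _, severity, _ in audit.findings:
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    result = parse_fwopsec(SAMPLE_CONF)
    for line_no, severity, message in result.findings:
        print(f"{severity:5} line {line_no or '-'}: {message}")
```

Run against the constructed sample, the parser flags the client line using plain `opsec` (IP-only authentication, cleartext), the `sam_server port` listener (no authentication), and the `cvp_server` listener that authenticates with putkeys but does not encrypt; the `lea_server` pair using `auth_port` plus `ssl_opsec` produces no finding.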